Difference between revisions of "SELinux/Install"

From Funtoo
Jump to navigation Jump to search
Line 88: Line 88:


{{console|body=
{{console|body=
###i## FEATURES="-selinux" emerge -1 selinux-base
###i## FEATURES="-selinux -sesandbox" emerge -1 selinux-base
}}
}}
== Installation ==
== Installation ==

Revision as of 09:35, September 16, 2016

Install SELinux

   Important

This document is work in progress. Do not use this as a reference!


Preparation

Since Python 2.7 provides most compatibility with SELinux, we will use it as our default interpreter.

root # eselect python list
Available Python interpreters, in order of preference:
  [1]   python2.7
  [2]   python3.4
  [3]   python3.5
root # eselect python set 1

Add SELinux policy types to make.conf

   /etc/portage/make.conf file
POLICY_TYPES="targeted strict"

Add SELinux mix-in

root # epro mix-in +selinux

Kernel configuration

You can use any kernel that supports SELinux, although it's advised to use hardened-sources since it provides additional hardened/security features.

root # emerge -av sys-kernel/hardened-sources
   Kernel configuration file
General setup
  [*] Auditing support

File systems
  <*> Second extended fs support
  [*] Ext2 extended attributes
  [ ]   Ext2 POSIX Access Control Lists
  [*]   Ext2 Security Labels
  < > The Extended 3 (ext3) filesystem
  <*> The Extended 4 (ext4) filesystem
  [ ]   Ext4 POSIX Access Control Lists
  [*]   Ext4 Security Labels
  < >   Ext4 Encryption

Security options
  [*] Enable different security models
  [*] Socket and Networking Security Hooks
  [*] NSA SELinux Support
  [ ]  NSA SELinux boot parameter
  [ ]  NSA SELinux runtime disable
  [*]  NSA SELinux Development Support
  [ ]  NSA SELinux AVC Statistics
  (1)  NSA SELinux checkreqprot default value
  [ ]  NSA SELinux maximum supported policy format version
     Default security module (SELinux) --->

Reboot

Compile the kernel with the new configuration and reboot.

Install necessary SELinux packages

root # emerge -a1 checkpolicy policycoreutils
root # FEATURES="-selinux" emerge -a1 selinux-base

Choosing the SELinux policy

   /etc/selinux/config
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted
root # FEATURES="-selinux -sesandbox" emerge -1 selinux-base

Installation

root # FEATURES="-selinux -sesandbox" emerge selinux-base-policy
root # emerge -auvDN @world
   /etc/fstab - Setting rootcontext for /tmp and /run
# For a "targeted" or "strict" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0

# For an "mls" or "mcs" policy type:
tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t:s0  0 0
tmpfs  /run   tmpfs  mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t:s0  0 0

Reboot

root # shutdown -r now

Relabeling packages

root # rlpkg -a -r
root # shutdown -r now

Setting SELinux booleans

root # setsebool -P global_ssp on

Check if users have proper roles

root # id -Z
unconfined_u:unconfined_r:unconfined_t

If your output is the same as above you are now ready to switch your SELinux to enforcing

   /etc/selinux/config - Enforcing security policy
# This file controls the state of SELinux on the system on boot.
  
# SELINUX can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
  
# SELINUXTYPE can take one of these four values:
#       targeted - Only targeted network daemons are protected.
#       strict   - Full SELinux protection.
#       mls      - Full SELinux protection with Multi-Level Security
#       mcs      - Full SELinux protection with Multi-Category Security
#                  (mls, but only one sensitivity level)
SELINUXTYPE=targeted

Reboot

root # shutdown -r now

Check your SELinux status

root # sestatus -v